diff options
author | Kevin Rocard <krocard@google.com> | 2017-11-13 11:15:27 -0800 |
---|---|---|
committer | Ivan Kutepov <its.kutepov@gmail.com> | 2018-02-08 02:41:00 +0300 |
commit | d43b790fe4e45c0a0ab598e169672af0904dc0d3 (patch) | |
tree | 895ee3976fd1c9d09b3ed1bbf3a34fcf7f3692cc /media/libstagefright/include/SoftVideoEncoderOMXComponent.h | |
parent | 19d12edc1aad955ecd2e2b1bc786f1e7acb5fe0c (diff) | |
download | frameworks_av-d43b790fe4e45c0a0ab598e169672af0904dc0d3.tar.gz frameworks_av-d43b790fe4e45c0a0ab598e169672af0904dc0d3.tar.bz2 frameworks_av-d43b790fe4e45c0a0ab598e169672af0904dc0d3.zip |
IAudioPolicyService: Add attribute tags sanitization
When audio_attributes_t was read from the binder parcel,
the string tags field was copied without checking that
it contained a '\0'.
This could lead to read past the end when tags were used.
This patch always adds a '\0' at the end of the buffer when
deserializing.
Bug: 68953950
Test: manual playback/record
Test: send binder payload without \0 in tags attribute, check that only
AUDIO_ATTRIBUTES_TAGS_MAX_SIZE - 1 char are printed.
Change-Id: I285258cbf7cfaf26b191d1f31b3b1e2d724c4934
Merged-In: I285258cbf7cfaf26b191d1f31b3b1e2d724c4934
Signed-off-by: Kevin Rocard <krocard@google.com>
(cherry picked from commit 39fdbd097a147b5c719dac9ad2759e6c44eb3a4e)
CVE-2017-13232
Diffstat (limited to 'media/libstagefright/include/SoftVideoEncoderOMXComponent.h')
0 files changed, 0 insertions, 0 deletions